From a4d1f0ad52e2cf6f168d2193216602f52033fc27 Mon Sep 17 00:00:00 2001 From: Fraunhofer IIS FDK Date: Wed, 23 May 2018 18:26:27 +0200 Subject: FDKv2 ubsan patches Bug: 80053205 Test: see bug for repro with FB "wow" atest DecoderTestAacDrc Fix signed integer overflows in CLpc_SynthesisLattice() Change-Id: Icbddfcc8c5fc73382ae5bf8c2a7703802c688e06 Fix signed integer overflows in imlt Change-Id: I687834fca2f1aab6210ed9862576b4f38fcdeb24 Fix overflow in addLowbandEnergies() Change-Id: Iaa9fdf9deb49c33ec6ca7ed3081c4ddaa920e9aa Concealment fix for audio frames containing acelp components Change-Id: Ibe5e83a6efa75a48f729984a161a76b826878f4e Fix out-of-bounds access in PS concealment Change-Id: I08809a03a40d1feaf00e41278db314d67e1efe88 Fix potential memory leak in setup of qmf domain Change-Id: Id9fc2448354dc7f1b439469128407305efa3def2 Reject channel config 13 Change-Id: Idf5236f6cd054df994e69c9c972c97f6768cf9e5 Fix unsigned integer overflow in configExtension() Change-Id: I8a1668810b85e6237c3892891444ff08f04b019b Fix unsigned integer overflow in CAacDecoder_DecodeFrame() Change-Id: I79678c571690178e6c37680f70a9b94dd3cbc439 Fix unsigned integer overflow in aacDecoder_UpdateBitStreamCounters() Change-Id: I3bff959da9f53fabb18cd0ae6c260e6256194526 Fix unsigned integer overflow in transportDec_readStream() Change-Id: I6a6f9f4acaa32fae0b5de9641f8787bbc7f8286b --- libAACdec/src/aacdecoder.cpp | 7 ++----- libAACdec/src/aacdecoder_lib.cpp | 6 +++--- libAACdec/src/conceal.cpp | 4 ++-- libAACdec/src/usacdec_acelp.cpp | 11 +++++++++-- libAACdec/src/usacdec_acelp.h | 3 ++- libAACdec/src/usacdec_lpd.cpp | 2 +- 6 files changed, 19 insertions(+), 14 deletions(-) (limited to 'libAACdec/src') diff --git a/libAACdec/src/aacdecoder.cpp b/libAACdec/src/aacdecoder.cpp index 3cbdffd..b8b1327 100644 --- a/libAACdec/src/aacdecoder.cpp +++ b/libAACdec/src/aacdecoder.cpp 
@@ -1589,9 +1589,6 @@ CAacDecoder_Init(HANDLE_AACDECODER self, const CSAudioSpecificConfig *asc, case 14: ascChannels = 8; break; - case 13: /* 22.2 setup */ - ascChannels = 24; - break; default: return AAC_DEC_UNSUPPORTED_CHANNELCONFIG; } @@ -2837,7 +2834,7 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame( /* usacExtElementStop = 1; */ } - usacExtBitPos = FDKgetValidBits(bs); + usacExtBitPos = (INT)FDKgetValidBits(bs); USAC_EXT_ELEMENT_TYPE usacExtElementType = self->pUsacConfig[streamIndex] @@ -2862,7 +2859,7 @@ LINKSPEC_CPP AAC_DECODER_ERROR CAacDecoder_DecodeFrame( /* Skip any remaining bits of extension payload */ usacExtBitPos = (usacExtElementPayloadLength * 8) - - (usacExtBitPos - FDKgetValidBits(bs)); + (usacExtBitPos - (INT)FDKgetValidBits(bs)); if (usacExtBitPos < 0) { self->frameOK = 0; ErrorStatus = AAC_DEC_PARSE_ERROR; diff --git a/libAACdec/src/aacdecoder_lib.cpp b/libAACdec/src/aacdecoder_lib.cpp index e62d187..cd112b6 100644 --- a/libAACdec/src/aacdecoder_lib.cpp +++ b/libAACdec/src/aacdecoder_lib.cpp @@ -1082,15 +1082,15 @@ static void aacDecoder_UpdateBitStreamCounters(CStreamInfo *pSi, /* bit/byte counters */ { - int nBytes; + INT nBytes; nBytes = nBits >> 3; - pSi->numTotalBytes += nBytes; + pSi->numTotalBytes = (UINT)((INT)pSi->numTotalBytes + nBytes); if (IS_OUTPUT_VALID(ErrorStatus)) { pSi->numTotalAccessUnits++; } if (IS_DECODE_ERROR(ErrorStatus)) { - pSi->numBadBytes += nBytes; + pSi->numBadBytes = (UINT)((INT)pSi->numBadBytes + nBytes); pSi->numBadAccessUnits++; } } diff --git a/libAACdec/src/conceal.cpp b/libAACdec/src/conceal.cpp index 91ba488..a6064b6 100644 --- a/libAACdec/src/conceal.cpp +++ b/libAACdec/src/conceal.cpp 
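Review bot: The two `(INT)FDKgetValidBits(bs)` casts in CAacDecoder_DecodeFrame() (this hunk and the one at -2862) make the bit-position arithmetic signed, but nothing says that the result may go negative on purpose and is caught by the `if (usacExtBitPos < 0)` check that follows. A comment above the second site, such as `/* signed on purpose: a negative result means more bits were consumed than the extension payload declared */`, would stop a later cleanup from reverting the casts. The term `usacExtElementPayloadLength * 8` is evaluated in whatever type that variable has. Its declaration and upper bound are outside the hunk, so confirm the product cannot overflow for the largest length the parser accepts. The function body starts and ends outside both hunks.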
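Review bot: `(UINT)((INT)pSi->numTotalBytes + nBytes)` in aacDecoder_UpdateBitStreamCounters() replaces a well-defined unsigned wrap with a signed addition, and signed overflow is undefined behaviour; the `numBadBytes` line has the same shape. Once a counter is at or near INT_MAX, a positive nBytes can overflow the INT sum, and converting a UINT above INT_MAX to INT is implementation-defined. If the casts are there because nBytes can be negative (nBits is computed outside the hunk), handle that case explicitly. For example, if negative counts are not meant to reduce the totals, `if (nBytes > 0) pSi->numTotalBytes += (UINT)nBytes;` keeps the counters in unsigned arithmetic. Otherwise form the sum in a wider signed type before narrowing. `nBits >> 3` on a negative value is also implementation-defined, so a comment should state what a negative bit count means here.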
@@ -158,8 +158,8 @@ amm-info@iis.fraunhofer.de #define CONCEAL_NOT_DEFINED ((UCHAR)-1) /* default settings */ -#define CONCEAL_DFLT_FADEOUT_FRAMES (0) -#define CONCEAL_DFLT_FADEIN_FRAMES (0) +#define CONCEAL_DFLT_FADEOUT_FRAMES (6) +#define CONCEAL_DFLT_FADEIN_FRAMES (5) #define CONCEAL_DFLT_MUTE_RELEASE_FRAMES (0) #define CONCEAL_DFLT_FADE_FACTOR (0.707106781186548f) /* 1/sqrt(2) */ diff --git a/libAACdec/src/usacdec_acelp.cpp b/libAACdec/src/usacdec_acelp.cpp index ec4437f..af1f488 100644 --- a/libAACdec/src/usacdec_acelp.cpp +++ b/libAACdec/src/usacdec_acelp.cpp @@ -1116,7 +1116,8 @@ void CLpd_AcelpPrepareInternalMem(const FIXP_DBL *synth, UCHAR last_lpd_mode, const FIXP_LPC *A_new, const INT A_new_exp, const FIXP_LPC *A_old, const INT A_old_exp, CAcelpStaticMem *acelp_mem, - INT coreCoderFrameLength, UCHAR lpd_mode) { + INT coreCoderFrameLength, INT clearOldExc, + UCHAR lpd_mode) { int l_div = coreCoderFrameLength / NB_DIV; /* length of one ACELP/TCX20 frame */ int l_div_partial; @@ -1154,6 +1155,13 @@ void CLpd_AcelpPrepareInternalMem(const FIXP_DBL *synth, UCHAR last_lpd_mode, &syn[PIT_MAX_MAX + L_INTERPOL - M_LP_FILTER_ORDER], M_LP_FILTER_ORDER * sizeof(FIXP_DBL)); + if (clearOldExc) { + FDKmemclear(old_exc_mem, (PIT_MAX_MAX + L_INTERPOL) * sizeof(FIXP_DBL)); + C_ALLOC_SCRATCH_END(synth_buf, FIXP_DBL, + PIT_MAX_MAX + L_INTERPOL + M_LP_FILTER_ORDER); + return; + } + /* update past [PIT_MAX_MAX+L_INTERPOL] samples of exc memory */ if (last_lpd_mode == 1) { /* last frame was TCX20 */ if (last_last_lpd_mode == 0) { /* ACELP -> TCX20 -> ACELP transition */ 
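Review bot: The new defaults `CONCEAL_DFLT_FADEOUT_FRAMES (6)` and `CONCEAL_DFLT_FADEIN_FRAMES (5)` are unexplained numbers, and the commit message only describes a concealment fix in general terms. A comment such as `/* default fade lengths in frames; non-zero so concealment ramps over several frames */` would record the intent; the author should confirm the wording. If these counts size or index fade-factor tables elsewhere in conceal.cpp (not visible in this hunk), a compile-time check against that table's capacity next to the defines would stop a future edit from exceeding it.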
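Review bot: The early-return branch added for `clearOldExc` in CLpd_AcelpPrepareInternalMem() releases the scratch buffer by hand with its own `C_ALLOC_SCRATCH_END(synth_buf, ...)`, presumably duplicating the release at the normal exit, so any exit path added later has to remember it too. Putting the existing update code in the `else` of `if (clearOldExc) { FDKmemclear(...); }` would leave a single release at the end of the function. The branch also skips everything after this point. The rest of the body is outside the hunk, so confirm that no other state in acelp_mem is expected to be refreshed on that path. The cleared length `(PIT_MAX_MAX + L_INTERPOL) * sizeof(FIXP_DBL)` should be checked against the declaration of old_exc_mem, which is not visible here either.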
@@ -1170,7 +1178,6 @@ void CLpd_AcelpPrepareInternalMem(const FIXP_DBL *synth, UCHAR last_lpd_mode, int exc_A_new_length = (coreCoderFrameLength / 2 > PIT_MAX_MAX + L_INTERPOL) ? PIT_MAX_MAX + L_INTERPOL : coreCoderFrameLength / 2; - int exc_A_old_length = PIT_MAX_MAX + L_INTERPOL - exc_A_new_length; E_UTIL_residu(A_old, A_old_exp, syn, old_exc_mem, exc_A_old_length); E_UTIL_residu(A_new, A_new_exp, &syn[exc_A_old_length], diff --git a/libAACdec/src/usacdec_acelp.h b/libAACdec/src/usacdec_acelp.h index 593a073..9de41ff 100644 --- a/libAACdec/src/usacdec_acelp.h +++ b/libAACdec/src/usacdec_acelp.h @@ -238,7 +238,8 @@ void CLpd_AcelpPrepareInternalMem(const FIXP_DBL *synth, UCHAR last_lpd_mode, const FIXP_LPC *A_new, const INT A_new_exp, const FIXP_LPC *A_old, const INT A_old_exp, CAcelpStaticMem *acelp_mem, - INT coreCoderFrameLength, UCHAR lpd_mode); + INT coreCoderFrameLength, INT clearOldExc, + UCHAR lpd_mode); /** * \brief Calculate zero input response (zir) of the acelp synthesis filter diff --git a/libAACdec/src/usacdec_lpd.cpp b/libAACdec/src/usacdec_lpd.cpp index 4ce6699..22069a6 100644 --- a/libAACdec/src/usacdec_lpd.cpp +++ b/libAACdec/src/usacdec_lpd.cpp @@ -1776,7 +1776,7 @@ AAC_DECODER_ERROR CLpd_RenderTimeSignal( pAacDecoderChannelInfo->data.usac.lp_coeff[k], pAacDecoderChannelInfo->data.usac.lp_coeff_exp[k], lp_prev, lp_prev_exp, &pAacDecoderStaticChannelInfo->acelp, lFrame, - mod[k]); + (last_frame_lost && k < 2), mod[k]); } } else { if (k == 0 && pAacDecoderStaticChannelInfo->IMdct.ov_offset != -- cgit v1.2.3
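Review bot: The prototype of CLpd_AcelpPrepareInternalMem() in usacdec_acelp.h gains `INT clearOldExc`, and the parameter needs an entry in the documentation block above the declaration; that block starts outside the hunk, and the header uses the `\brief` Doxygen style. Suggested text: `\param clearOldExc  if non-zero, zero the old excitation memory and return without recomputing it.` The .cpp hunk only tests the flag for truth, so describing it as a boolean-valued INT keeps callers from passing a count.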
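Review bot: The new argument `(last_frame_lost && k < 2)` in CLpd_RenderTimeSignal() hard-codes the limit 2 without saying why only k = 0 and k = 1 clear the old excitation memory. A one-line comment at the call would document the choice, for example `/* after a lost frame the stored excitation is not trusted for the first two k: clear it */`. That rationale is inferred from the commit message and should be confirmed by the author. The loop over k and the definition of last_frame_lost are outside the hunk.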